FedRAMP authorized Microsoft's GCC High cloud on December 26, 2024. The U.S. government's cybersecurity certification body had spent 480 hours on the review. Eighteen "technical deep dive" sessions over nearly five years failed to verify Microsoft's encryption practices. Reviewers reported a "lack of confidence" in the product's security, a ProPublica investigation published March 18 reveals.
GCC High handles classified-adjacent information for the Justice Department, the Energy Department, and defense contractors including Boeing.
FedRAMP asked Microsoft to provide data flow diagrams showing where information is encrypted and decrypted in transit. The company took months to respond. It submitted a white paper describing its encryption strategy in general terms but omitting the specific points FedRAMP requested. Amazon and Google routinely provided this level of documentation for their own cloud products, FedRAMP team members told ProPublica.
We can't even quantify the unknowns, which makes us very uncomfortable.
— FedRAMP reviewer, via internal meeting minutes obtained by ProPublica
Brian Conrad, then FedRAMP's interim director, told Microsoft in October 2023 that the engagement was over. The company would need to start from scratch.
A new review team in summer 2024 reached the same conclusion. GCC High had "issues that are fundamental" to risk management.
The authorization came not because the questions were resolved but because GCC High was already deployed everywhere. The Justice Department had authorized it through an alternative FedRAMP pathway in 2020. Defense contractors adopted it because Pentagon rules required FedRAMP-compliant cloud products. By late 2024, rejecting GCC High would have disrupted the entire defense industrial base.
Richard Wakeman, one of Microsoft's chief security architects, celebrated in an online forum. "BOOM SHAKA LAKA," he wrote, posting a Leonardo DiCaprio meme from "The Wolf of Wall Street."
This is not security. This is security theater.
— Tony Sager, former NSA computer scientist (30+ years), now executive at the Center for Internet Security
Two cyberattacks exploiting Microsoft products preceded the authorization. In 2020, Russian state-sponsored hackers (SolarWinds/Nobelium) used a Microsoft product weakness to steal records from agencies including the National Nuclear Security Administration. In 2023, Chinese state-sponsored hackers (Storm-0558) infiltrated the lower-tier GCC and stole emails from Commerce Secretary Gina Raimondo and the U.S. ambassador to China.
Microsoft's own third-party assessors flagged concerns privately. FedRAMP had set up a confidential channel for assessors to report problems they could not raise with paying clients. Coalfire and later Kratos used it. FedRAMP placed Kratos on a "corrective action plan" for insufficient pushback on Microsoft.
ProPublica documented a revolving door between the Justice Department and Microsoft. Melinda Rogers, the DOJ official who authorized GCC High in 2020, was promoted to Chief Information Officer. At a December 2023 GSA meeting, Rogers sat beside Microsoft's FedRAMP liaison and criticized the review process. Microsoft hired Rogers in 2025. The company said the hiring had "absolutely no connection" to GCC High.
Lisa Monaco launched the DOJ's cyber-fraud initiative in 2021 as Deputy Attorney General. The program targets contractors who "knowingly" provide deficient cybersecurity products. In December 2024, the department indicted a former Accenture employee for allegedly misleading agencies about FedRAMP compliance. Monaco left government in January 2025. Microsoft hired her as president of global affairs.
ProPublica revealed last year that Microsoft used China-based engineers to maintain government cloud systems, including GCC High. Pentagon rules bar foreign nationals from accessing its most sensitive records. Microsoft stopped the practice after ProPublica's July 2025 report. The Pentagon is investigating.
FedRAMP itself has been gutted by the Trump administration's DOGE (Department of Government Efficiency). The program now runs with roughly two dozen employees and a $10 million annual budget, its lowest in a decade. Former staffers told ProPublica the program is now "little more than a rubber stamp for industry."
When there's a security issue, the public doesn't expect FedRAMP to say they're just a paper-pusher.
— Eric Mill, former GSA executive director for cloud strategy
Microsoft acknowledged the confrontation but insisted it provided "comprehensive documentation." A spokesperson added that the company "stands by our products." The GSA defended FedRAMP's governance reforms. The Justice Department declined to comment.